Reputation: 33408
I'm running an OWIN server with multiple controllers. I have an OWIN middleware which handles client certificate validation.
For my new controller I need an extra authorization step.
My controller POST url will be: www.myUrl.com/api/newController/{service_id}. The client will pass a client certificate alongside.
A client is only authorized to change specific service_ids. I need to verify if client X with certificate X is authorized to modify service_id_1 passed in the URL parameters. I will have the client_cert -> service_ids mapping stored.
Which is the best way to do this for a single controller? I assume adding an Owin middleware won't be the proper way as all requests for all controllers will fly through it.
Upvotes: 0
Views: 681
Reputation: 9242
I think the best solution here is to check for proper access rights inside your controller action, or to create a custom authorization attribute and implement your specific scenario inside it.
For inline checking inside your action I think you know what to do; for the custom authorization attribute, here is what you need to do.
You will need to create a custom authorization attribute and override the OnAuthorization method. Inside it you will need to read the submitted certificate from the request, and make the check to either authorize or not authorize the caller for the current action based on both the certificate and the requested serviceID.
An example of creating a custom authorization attribute can be found below:
using System.Web.Http;
using System.Web.Http.Controllers;

public class CertificateAuthorizationAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // your custom logic here: read the client certificate and the
        // service_id route value, then set actionContext.Response to a
        // 403 result if the caller may not modify that service_id
        base.OnAuthorization(actionContext);
    }
}
My suggestion: because this is specific to this action method and not a general authorization problem, I would go for making the check inside your method, and if this needs to scale for more than one controller/action, then I may go for a custom authorization attribute.
Upvotes: 1
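One way to fill in the attribute approach the answer describes, as an added example that is not code from the question or the answer. It assumes the OWIN host surfaces the already-validated client certificate to Web API (so that `GetClientCertificate()` returns it), that the route parameter is named `service_id`, and that a hypothetical `IServiceAuthorizationStore` holding the client_cert -> service_ids mapping is registered in the Web API dependency resolver. It derives from `AuthorizationFilterAttribute` rather than `AuthorizeAttribute` so that the base class does not additionally demand an authenticated principal, which a certificate-only middleware may not have set up. The in-memory store is a constructed stand-in for whatever storage holds the real mapping.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical abstraction over the stored client_cert -> service_ids mapping.
public interface IServiceAuthorizationStore
{
    // Service ids the certificate with this thumbprint may modify; empty if unknown.
    ISet<string> ServiceIdsFor(string thumbprint);
}

// Constructed in-memory store for illustration only; a real one would query a database.
public sealed class InMemoryServiceAuthorizationStore : IServiceAuthorizationStore
{
    private readonly Dictionary<string, HashSet<string>> _map;

    public InMemoryServiceAuthorizationStore(Dictionary<string, HashSet<string>> map)
    {
        // Thumbprints are hex strings; compare case-insensitively but otherwise exactly.
        _map = new Dictionary<string, HashSet<string>>(map, StringComparer.OrdinalIgnoreCase);
    }

    public ISet<string> ServiceIdsFor(string thumbprint)
    {
        HashSet<string> ids;
        return _map.TryGetValue(thumbprint, out ids) ? ids : new HashSet<string>();
    }
}

// Applied only to the action(s) that need the extra step, so other controllers are untouched.
public sealed class ServiceCertificateAuthorizeAttribute : AuthorizationFilterAttribute
{
    // Attributes cannot be constructor-injected, so resolve the store per request
    // (assumes IServiceAuthorizationStore is registered in config.DependencyResolver).
    private static IServiceAuthorizationStore ResolveStore(HttpActionContext ctx)
    {
        var store = ctx.Request.GetDependencyScope()
                               .GetService(typeof(IServiceAuthorizationStore)) as IServiceAuthorizationStore;
        if (store == null)
            throw new InvalidOperationException("IServiceAuthorizationStore is not registered.");
        return store;
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // 1. The certificate the OWIN middleware already validated (chain, expiry, etc.).
        //    Without one there is no identity at all, so 401 rather than 403.
        X509Certificate2 cert = actionContext.Request.GetClientCertificate();
        if (cert == null)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // 2. The {service_id} route value from the URL.
        object serviceIdValue;
        if (!actionContext.ControllerContext.RouteData.Values.TryGetValue("service_id", out serviceIdValue)
            || serviceIdValue == null)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.BadRequest);
            return;
        }
        string serviceId = serviceIdValue.ToString();

        // 3. Key the lookup on the certificate itself (thumbprint), never on a client-supplied
        //    header, so the mapping is bound to what the middleware actually verified.
        ISet<string> allowed = ResolveStore(actionContext).ServiceIdsFor(cert.Thumbprint);
        if (!allowed.Contains(serviceId))
        {
            // Authenticated but not permitted for this service_id: 403, and the action never runs.
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
            return;
        }
        // Authorized: leave Response null and the pipeline continues to the action.
    }
}

// Usage: only this action carries the attribute (attribute routing assumed via MapHttpAttributeRoutes).
public class NewControllerController : ApiController
{
    [HttpPost]
    [Route("api/newController/{service_id}")]
    [ServiceCertificateAuthorize]
    public IHttpActionResult Post(string service_id)
    {
        return Ok();
    }
}
```

The same three steps (certificate, route value, mapping lookup) can equally be placed at the top of the action body for the inline variant the answer prefers; the attribute only becomes worthwhile once a second action needs the identical check. Whichever form you choose, the authorization decision must be driven by the validated certificate (thumbprint, or issuer plus serial) rather than anything the caller can set in the request, and the mapping lookup should use exact matching so that a partial or prefix match cannot widen what a client is allowed to modify.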